CIS benchmarks for securing WordPress

Keeping a WordPress site secure is a constant challenge. With hackers targeting vulnerabilities every day, many site owners rely only on plugins or ad-hoc fixes. While those tools are useful, they often don’t go far enough. To truly harden your site and meet compliance standards, you need to apply structured, industry-recognized guidance. That’s where CIS benchmarks for securing WordPress come in.

CIS (Center for Internet Security) benchmarks provide best-practice configuration guidelines that help you reduce risk, protect sensitive data, and maintain compliance. In this guide, we’ll explore what the benchmarks are, how they apply to WordPress, and practical steps you can take to implement them.

• CIS benchmarks are trusted, consensus-based security guidelines used worldwide
• Applying them to WordPress strengthens your site against known vulnerabilities
• You can use CIS benchmarks alongside security plugins for layered protection
• Step-by-step hardening recommendations help IT teams and site owners meet compliance standards
• We’ll cover practical examples, missing gaps from other guides, and expert insights

CIS benchmarks are configuration guides developed by the Center for Internet Security. They cover systems, applications, and cloud services – from Windows servers to WordPress hosting environments.

Each benchmark is created through a consensus process involving security professionals, system administrators, and industry experts. The goal is to define secure settings that balance usability and protection.

For WordPress, CIS benchmarks typically focus on:

• Secure server configurations (Linux, Apache, Nginx, PHP, MySQL)
• Database access and permissions
• File system restrictions
• Authentication and access control
• Logging and monitoring practices

By following these, organizations can ensure their WordPress installations align with proven security standards.

WordPress powers over 40% of the web, making it an attractive target for attackers. While plugins like All-In-One Security (AIOS) help reduce risks, they can’t cover every server-level or compliance requirement.

CIS benchmarks fill this gap by:

• Providing a structured checklist for hardening WordPress and its environment
• Helping you achieve compliance with frameworks like ISO 27001, HIPAA, and GDPR
• Standardizing security practices across teams or hosting environments
• Offering guidance that goes beyond common plugin recommendations

If you run a hosting company, manage client sites, or handle sensitive data, CIS benchmarks are especially valuable.

CIS doesn’t publish a dedicated “WordPress benchmark,” but you can adapt server, application, and CMS benchmarks to secure your site. Below are practical steps grouped by key areas.

• Use the latest Linux distribution with regular security patches
• Configure firewall rules to limit open ports
• Disable unnecessary services like FTP, Telnet, or unused PHP modules
• Enforce secure file permissions (e.g., 644 for files, 755 for directories)
• Require SSL/TLS certificates for all connections

Example CIS mapping: CIS Linux Benchmark recommends disabling root login over SSH, which directly reduces the chance of brute-force attacks on your server.

• Create a dedicated database user with only the permissions needed by WordPress
• Change the default WordPress database prefix from wp_ to something unique
• Regularly back up databases and test restorations
• Use strong, randomly generated passwords

Example CIS mapping: CIS MySQL Benchmark suggests disabling anonymous accounts and restricting host access, both crucial for WordPress database security.

• Enforce strong passwords for all users
• Apply two-factor authentication (2FA)
• Limit administrator accounts to essential users only
• Review user roles regularly to ensure least privilege

Example CIS mapping: CIS benchmarks recommend lockout policies after failed login attempts.

Taking a few extra steps to harden your WordPress configuration can make a big difference to your site’s overall security.

Disable file editing in the dashboard

Add the following line to your wp-config.php file to prevent users from editing theme and plugin files directly from the WordPress admin area:

define('DISALLOW_FILE_EDIT', true);

Restrict access to wp-config.php and .htaccess files

These files contain critical information about your WordPress setup. Add this rule to your .htaccess file to deny public access to wp-config.php:

<Files "wp-config.php">
Require all denied
</Files>

Additionally, set the file permissions for wp-config.php to 400 or 440 for extra protection.

Protect your includes folder

Since your WordPress includes are not intended to be publicly accessible, you can block access to them by adding a mod_rewrite rule in your .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress

Keep WordPress, themes, and plugins updated automatically

Enabling automatic updates helps ensure that your site always benefits from the latest security patches and fixes.

Use a web application firewall (WAF)

Either through your hosting provider or a security plugin, a WAF provides an extra layer of protection against common attacks.

• Enable audit logs for logins, file changes, and plugin activity
• Use AIOS activity logs for user monitoring
• Store logs securely and review them regularly for unusual behavior

Example CIS mapping: CIS recommends centralized log management. You can export AIOS logs into your SIEM for compliance.

• Enable 2FA and strong password enforcement
• Disable file editing in the dashboard
• Regularly review user accounts and roles
• Keep backups up to date

• Use staging environments to test updates before production
• Apply least-privilege principles for database connections
• Restrict access to sensitive files in version control
• Document changes for security audits

• Build server images aligned with CIS Linux/Apache/MySQL benchmarks
• Apply root login restrictions and firewall rules at scale
• Centralize and monitor logs from all WordPress sites
• Offer CIS compliance as a value-add to clients

Imagine a WooCommerce store handling customer payment data. The site owner already uses AIOS for application-level protection, but they want to align with CIS benchmarks for compliance.

• Server level: The hosting provider disables root SSH login and applies firewalls (CIS Linux benchmarks)
• Database level: The developer removes anonymous accounts and sets a unique DB prefix (CIS MySQL benchmarks)
• WordPress level: The owner enforces 2FA, disables file editing, and monitors AIOS activity logs (CIS app hardening)

Together, these steps bring the site closer to compliance while reducing both everyday and advanced threats.

Too often, WordPress security is reactive – adding plugins after an incident. CIS benchmarks help change this mindset. They give you a proactive, standards-based framework that ensures your site isn’t just secure today, but resilient long term.

CIS benchmarks give site owners, developers, and IT teams a proven framework for hardening their environments. By aligning your site with these standards, you reduce vulnerabilities, meet compliance requirements, and build long-term resilience against attacks.

But benchmarks alone aren’t enough. True protection comes from pairing configuration hardening with active, ongoing defenses. That’s where tools like AIOS and UpdraftPlus step in – adding features such as 2FA, brute-force protection, automatic backups, and one-click restores.

Whether you’re a site owner, developer, or hosting provider, adopting CIS benchmarks is a proactive step toward keeping WordPress secure.